
Do Data Breach Laws Push Compliance?

CIO Australia recently posted an article suggesting that data breach notification laws drive compliance. Bob Russo is quoted quite a bit in the article, but there is a part that is missing. It's not Bob's fault, he is speaking from the Council's perspective. He hit the bullseye.

But what Bob does not say is what is really driving compliance.

I've been doing PCI/CISP compliance work since 2004, not quite two years AFTER the September 26, 2002 filing of California's SB 1386--the first State Data Breach Law. Unfortunately, many companies did not pay too much attention to it until several years later when other states started passing similar laws, especially when Minnesota passed the Plastic Card Security Act in 2007. Being in the trenches dealing with companies, I can definitely say that before 2007, the feeling in the PCI world was "We'll get to it... if we ever do." By 2007, I had a list of clients that had failed their annual assessment three or more years in a row, with little to no improvement year over year [1].

During 2007, however, we saw a dramatic uptick in the reported compliance rates of Merchants [2] of all levels. Let's think back to 2007. Was it data breach laws that caused this uptick? It could have been, but that would be a significant four-year delay (allowing for some variance).

What else happened in 2007?

Visa announced their Compliance Acceleration Program! Remember that? The original plan was that fines would start if compliance was not reported by September 30, 2007. Visa later offered a three month rebate if compliance was met by December 31, 2007. Not to mention, if you were subject to Tiered Interchange, you did not qualify for the best available tier!

Holy crap, talk about lighting a fire!

One of our customers figured out that their cost of non-compliance was $40 million in lost rebates! WOW! That's a motivator if I've ever heard of one--especially if your compliance costs are under $80 million over 2 years! Presumably, your maintenance costs should be SIGNIFICANTLY lower (especially if you purchased VeriSign's PCI Program Management offering!). Shameless plug?

If anything has pushed compliance, fines (or a real threat of them) seem to be the main motivating factor, not laws.

Now, one difference between the US and the rest of the world that could make a difference is that here in the US we are inundated by breach notices. For credit card breaches, the damage is pretty minimal (a breach of more than card data, such as SSNs, is definitely a MUCH bigger problem), and I think most of us ignore it and continue shopping. After spending a few days in the UK, I found some groups that believe required notification upon a breach will be a massive motivator, until THEIR citizens are inundated and then don't care anymore.

The moral of this post? My experience tells me that fines are a much bigger motivator for pushing compliance to a particular standard than data breach laws are. If you want to get companies to comply, affect their business. After all, security and compliance are a BUSINESS issue. Properly motivated, it will be addressed.

________________________________________
[1] Albeit, in the Merchant's defense, CISP had changed several times since 2001, and the original PCI Standard was released and amended by 2007 such that we were then working under version 1.1.
[2] Reported compliance is different from actual compliance... remember that.

Comments

Branden, "compliance" or "validation"? There has certainly been a motivation to validate (many do it quickly and cheaply in my experience). Note, I would argue that the threat of massive lawsuits by issuing banks, consumers and regulators has been more of a motivator than threatened fines (especially when the card brands backed off of the 2007 deadline -- they played chicken and lost).

I also disagree on the breach notice laws, although it is difficult for either of us to stake a position without good data. The breach notice laws, in my experience, in terms of PII breaches have had a tremendous impact on companies trying to achieve reasonable security. Pre-SB 1386 there was little lawsuit risk, and now it is not unusual at all to get sued post-notice. That has motivated a lot of companies (especially brand names).

That said I think PCI has had an impact as well (although I think it has serious problems as a regulatory scheme -- more on that soon in a post). In fact I think that PCI and breach notice laws as a combo are probably driving more companies to look at security. Unfortunately, many treat PCI as a compliance exercise as opposed to a risk management exercise (which is another problem with the PCI regulatory scheme).

Cheers! I hope all is well with you!

Dave

Fantastic points Dave!!! I was hoping you would chime in here!

Agree on losing the game of Chicken, but we typically see Issuing Banks, Consumers, and to some extent, Regulators operate in the past. Meaning that an event has to happen FIRST, THEN they take action. Unfortunately, action tends to follow a major event like a breach. My experience with PCI tells me that companies actively trying to get ahead of compliance are in the minority, even AFTER the Visa CAP.

I'm GLAD that you disagree on the breach notice laws. Most of what I have seen and heard in the industry is that there is grave concern around the issue, but PII projects are put on the back burner in favor of PCI (first) or HIPAA/HITRUST (second). It feels like companies are going after the kid setting fires by putting them out after they get big enough to see, as opposed to taking the kid's matches away.

Treating symptoms only gets you so far. Treating the cause will take you all the way.

Branden, I hear you on the issue of priorities. More "well defined" obligations tend to get attention because they are, in theory, easier to address.

Engaging in a comprehensive risk management approach to security involves IT, risk management, legal, PR functions, and insurance, and efforts to assess risk and mitigate or transfer risk to an acceptable level (for the organization and for society). Of course, if you engage in that first, all of those well-defined obligations tend to take care of themselves.

So, do these regulations/PCI requirements degrade the approach to achieving some level of reasonable security? Or do they enhance it because it focuses organizations on things they would have ignored anyway? How can we tell?

Very valid question! That is something that history will have to tell us, and I think we have to wait a few years before we have enough data to answer that.
